You know how Epic Games decided to bring their popular game Fortnite to Android, but not to distribute it via the Google Play Store? Yeah, it turns out there was a pretty big security vulnerability in the installer, or at least the version that was made available through the Samsung Galaxy Apps store.
Google discovered the flaw earlier this month and reported it to Epic… who issued an update to resolve the issue pretty quickly.
The company did take issue with Google’s decision to publicly disclose the vulnerability a week later though, since it’s possible there may still be some users with the flawed version of the installer still on their devices.
In a nutshell, here’s the problem: while the Fortnite installer itself was just designed to download and install the game, the first version of the installer could be hijacked by malicious apps to silenty download and install just about anything on Samsung Galaxy phones.
Xda-developers has a detailed break-down of how the vulnerability could be exploited. In a nutshell, when you download Fortnight for Android what you’re actually installing is a small installer app that then downloads and installs the rest of the application. But because of the way the installer was added to the Samsung Galaxy Apps store… and because of the location where downloaded files were stored, malware that had previously been installed on your phone could use the Fortnite installer to download and install some other program without your knowledge, including software that would have access to all sorts of permissions such as access to your location, call history, text messages, or even camera.
The issue only affected the Samsung Galaxy Apps version of the Fortnite installer, and not the version made available for non-Samsung devices. It was patched shortly after the installer was first released.
Google waited 7 days to publicly disclose the vulnerability, following the company’s usual practice, but in a statement released to several websites, including Android Central, Epic Games CEO Tim Sweeney thanked Google for sharing the information about the vulnerability, but complains that Google decided to publicly disclose the vulnerability so soon rather than waiting 90 days to ensure that the updated version of the installer had been more widely distributed.
The good news is that not only was the vulnerable version of the Fortnite installer only available for a limited time, but it also only posed a risk if you already had malware on your phone. It’s unclear if this vulnerability was exploited by any malware at all… but it does show at least one potential risk that comes with bypassing the Google Play Store to distribute popular apps and games like Fortnite.
On the other hand, skipping the Play Store does mean Epic doesn’t have to fork over 30 percent of the revenue it makes from in-game purchases to Google, so it’s not hard to see why the company made the decisions it did.